Action Gate Governance Hub
The Action Gate protocol (CLAUDE.md §“Action gate (2026-03-31)”) creates a two-tier permission system for all Claude actions: read-only operations (reads, searches, log checks, status queries) proceed without confirmation, while side-effect operations (file writes, file deletes, service restarts, script execution, API calls with side effects) require Henry’s explicit confirmation before execution — unless session-level authorization has been granted. This hub documents G-SAFE-ACTION terminology, the scope and limits of session-level authorization, references to feedback_action_gate_violation_repeated, and all related feedback rules. Enforcement mode is manual.
Quick reference
| Field | Value |
|---|---|
| Gate ID | G-SAFE-ACTION (informal; codified in CLAUDE.md §“Action gate (2026-03-31)”) |
| CLAUDE.md section | §“Action gate (2026-03-31)” (line ~34) |
| Enforcement mode | manual (Claude self-enforces; pre-bash-check.sh hook adds safety layer) |
| Validator script | /home/opsadmin/.openclaw/tools/hooks/pre-bash-check.sh (advisory, not blocking) |
| Discord alert | pending |
| Feedback rules | feedback_action_gate_violation_repeated, feedback_probe_before_execute, feedback_never_send_without_auth, feedback_archive_not_delete, feedback_tailscale_serve_strict_approval, feedback_cloudflare_plan_before_execute |
| Incidents derived from | Unauthorized service restart (2026-04); salesmsg-gateway.service hardcoded ANTHROPIC_API_KEY; TOOLS.md 15+ plaintext keys 24+ days rw-rw-r-- |
| Violable by | Claude |
| Last known violation | 2026-04: service restart executed without explicit Henry confirmation |
| Amendment | n/a (predates §A1; introduced 2026-03-31) |
| Phase status | active |
| Last audit | 2026-05-03 |
Components
- ~/CLAUDE.md §“Action gate (2026-03-31)” — authoritative gate definition
- /home/opsadmin/.openclaw/tools/hooks/pre-bash-check.sh — PreToolUse hook; logs bash commands to audit log
- /home/opsadmin/.openclaw/logs/claude-code-audit.log — audit log for all Claude tool actions
- /home/opsadmin/.claude/projects/-home-opsadmin/memory/feedback_action_gate_violation_repeated.md — incident-derived rule
- /home/opsadmin/.openclaw/workspace/FUNNEL-REGISTRY.md — webhook endpoint registry (governs public endpoint creation)
Action gate classification
Tier 1 — Act directly, no confirmation needed (read-only)
| Operation type | Examples |
|---|---|
| File reads | cat, head, tail, Read tool calls |
| Search operations | grep, find, glob, workspace_query |
| Log checks | journalctl, tail -f /tmp/openclaw/*.log |
| Status queries | systemctl status, ss -tlnp, pm2 list |
| API reads (no side effects) | GET endpoints, supabase_query SELECT |
Tier 2 — State intended action, wait for explicit confirmation
| Operation type | Examples | Why gated |
|---|---|---|
| File writes | Write, Edit, echo > | Irreversible content changes |
| File deletes | rm, trash, unlink | Data loss risk; use archive pattern |
| Service restarts | systemctl restart, pm2 restart | Live traffic interruption |
| Service starts (new) | systemctl start (new unit) | G-SERVICE-PRE-START-DOC required first |
| Script execution with side effects | node script.js (no --dry-run) | External API calls, DB writes |
| API calls with side effects | POST/PUT/DELETE endpoints | SMS sends, HubSpot writes, deal creation |
| Credential operations | op write, key rotation | G-NO-PLAINTEXT-CREDS enforcement |
| Public endpoint changes | Tailscale Funnel, Cloudflare Tunnel edits | Webhook governance |
Session-level authorization
Henry can grant session-level authorization with phrases like:
- “go ahead and execute”
- “do all of them”
- “approved” on a plan
Scope: Session-level authorization covers exactly what was authorized — it is not open-ended for future requests. If the scope of work expands, re-confirm.
Does not carry over to the next session. Authorization expires when the conversation ends.
G-SAFE-ACTION enforcement points
Pre-bash-check.sh hook
The pre-bash-check.sh hook fires on every Bash tool call (PreToolUse). It:
- Logs the command to claude-code-audit.log with timestamp + session ID
- Flags commands matching dangerous patterns (rm -rf, force-push, etc.)
- Does NOT block execution — advisory only (Henry can strengthen this in Phase 2)
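A fail-closed tier classifier that a blocking mode for the hook could call, as an added example rather than the project's pre-bash-check.sh. The function names and the per-tool write-flag lists are assumptions of this example, and how the hook receives the command line is not covered here.

```shell
#!/bin/sh
# Added example, not the project's pre-bash-check.sh. Prints tier1 only when
# every part of a command line is a known read-only call; all else is tier2.

# has_write_arg TOOL ARGS...: true if an argument makes a normally read-only
# tool write, delete or run programs. These lists are this example's own.
has_write_arg() {
  tool=$1; shift
  for a in "$@"; do
    case "$tool:$a" in
      find:-delete|find:-exec*|find:-ok*|find:-fprint*|find:-fls) return 0 ;;
      journalctl:--rotate|journalctl:--vacuum-*|journalctl:--flush) return 0 ;;
      journalctl:--sync|journalctl:--*relinquish-var) return 0 ;;
      journalctl:--setup-keys|journalctl:--update-catalog) return 0 ;;
      ss:--kill|ss:--diag*|ss:-[KD]*|ss:-[!-]*[KD]*) return 0 ;;
    esac
  done
  return 1
}

classify_segment() {    # $1: one simple command, no separators
  set -f; set -- $1; set +f          # word-split without globbing
  [ $# -gt 0 ] || { echo tier1; return; }
  tool=$1; shift
  case "$tool" in
    cat|head|tail|grep|find|journalctl|ss) ;;
    systemctl) [ "${1:-}" = status ] || { echo tier2; return; } ;;
    pm2)       [ "${1:-}" = list ]   || { echo tier2; return; } ;;
    *) echo tier2; return ;;         # rm, node, op, tailscale, curl, ...
  esac
  if has_write_arg "$tool" "$@"; then echo tier2; else echo tier1; fi
}

classify_command() {    # $1: the full command line to be classified
  # Redirection, expansion, quoting and subshells can hide or rewrite words,
  # so any of these characters fails closed instead of being parsed.
  case "$1" in
    *'>'*|*'<'*|*'('*|*'{'*|*'$'*|*'`'*|*"'"*|*'"'*|*'\'*)
      echo tier2; return ;;
  esac
  # Split on ; | & (which also covers && and ||) and check each part.
  printf '%s\n' "$1" | tr ';|&' '\n\n\n' | (
    while IFS= read -r seg; do
      [ "$(classify_segment "$seg")" = tier1 ] || { echo tier2; exit 0; }
    done
    echo tier1
  )
}
```

Because quoting is rejected rather than parsed, a command such as `grep "a b" file` classifies as tier2; that costs a confirmation prompt, not a missed write.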
Webhook endpoint gate (FUNNEL-REGISTRY.md)
Per CLAUDE.md §“MANDATORY: Webhook Endpoint Governance”: before ANY public webhook endpoint addition, check FUNNEL-REGISTRY first. New public endpoints require:
- (a) IP filter if provider ranges exist
- (b) signature verification OR query-param token
- (c) dedup via processed_webhook_events
- (d) non-blocking webhook_audit_log write with local file fallback
Tailscale Funnel strict approval
feedback_tailscale_serve_strict_approval — any tailscale serve or tailscale funnel command requires explicit approval + FUNNEL-REGISTRY.md update BEFORE execution.
Cloudflare plan-before-execute
feedback_cloudflare_plan_before_execute — Cloudflare DNS/WAF/Tunnel changes require a written plan reviewed by Henry before any live change.
How it’s used
- Trigger condition: Claude is about to execute any Tier 2 operation
- Workflow: (1) Identify operation tier → (2) If Tier 2: state “I intend to [action] — is that OK?” → (3) Wait for explicit confirmation → (4) Execute → (5) Log to audit trail
- Agents involved: Claude-as-executor in main conversation; Aurora does NOT bypass action gate for outbound SMS (enforced by feedback_aurora_outbound_guardrails)
- Failure mode: Side-effect executed without confirmation → unintended SMS sent, wrong service restarted, credentials exposed, deal created in wrong pipeline
- Success criteria: Zero unauthorized side-effects; every Tier 2 action has a prior confirmation in the conversation history
Special cases
Archive, don’t delete
feedback_archive_not_delete — Never rm a plan, script, or config file. Move it to a _retired/ or _archive/ directory instead. Deletion is always Tier 2; archiving is still Tier 2 but is the preferred pattern.
Service restarts require pre-start doc
Per G-SERVICE-PRE-START-DOC: any systemctl start for a new unit requires the unit to already exist in CLAUDE.md port map AND workspace/ARCHITECTURE.md service table BEFORE the start command is issued.
SMS sends — never without auth
feedback_never_send_without_auth — All outbound SMS (SalesMsg, Twilio, OpenPhone) are Tier 2, always. No session-level authorization carries over to next-session SMS sends.
Cross-links
Agents that touch this
- _summary — all outbound SMS subject to action gate
- _summary — HubSpot deal creation is Tier 2
- _summary — buyer blast is Tier 2
Skills that invoke this
- acquisitions-outreach — outreach execution requires explicit Henry auth
- dispo-blast — blast execution gated; --dry-run always first
- acquisitions-followup — follow-up sends subject to action gate
Plans that govern this
- openclaw-fragmentation-fix-2026-05-01 — Phase 2: enforcement crons for action gate audit
- nemoclaw-audit-2026-05-03 — cred-proxy (B1) would remove some Tier 2 credential operations from agent context entirely
Feedback rules
- feedback_action_gate_violation_repeated — core incident-derived rule
- feedback_probe_before_execute — probe + inspect before any destructive command
- feedback_never_send_without_auth — SMS sends always require explicit auth
- feedback_archive_not_delete — archive pattern for file removal
- feedback_tailscale_serve_strict_approval — Tailscale Funnel strict gating
- feedback_cloudflare_plan_before_execute — Cloudflare changes need written plan
- feedback_no_plaintext_creds — credential writes are Tier 2 with extra scrutiny
- feedback_credentials_in_chat — never paste credentials in conversation
- feedback_credential_pipe_required — pipe credentials via 1P CLI, not env echo
- feedback_credentials_via_1password_cli — op CLI is only approved credential pipe
- feedback_always_redact_grep_output — grep output showing keys must be redacted
- feedback_credentials_repeat_exposure — credential exposure compounds with time
KB / source docs
- README — credential fetch patterns via op CLI
- WEBHOOK-IP-RANGES — IP filter ranges for webhook endpoints
System maps
- auth-chain-map — authentication chain showing credential flow
- governance-gates-network — action gate in gate topology
Related cluster
Governance enforcement cluster (anchor: g-gates-network):
- sources-first — verify sources before any Tier 2 action
- blockers-first — surface blockers before authorizing
- plan-governance — plan-level authorization tracking
- compliance-gates — pre-send compliance gates for SMS
- 1password — credential layer for secure Tier 2 ops
Feedback rule inventory
| Rule | Cluster | Enforcement | Last fire |
|---|---|---|---|
| feedback_action_gate_violation_repeated | governance | manual (pre-bash-check advisory) | 2026-04 (service restart) |
| feedback_probe_before_execute | governance | manual | 2026-04 |
| feedback_never_send_without_auth | messaging | manual | 2026-04 |
| feedback_archive_not_delete | governance | manual | unknown |
| feedback_tailscale_serve_strict_approval | infra | manual | 2026-05-01 |
| feedback_cloudflare_plan_before_execute | infra | manual | 2026-05-01 |
| feedback_no_plaintext_creds | security | manual | 2026-05-03 (TOOLS.md audit) |
| feedback_credentials_in_chat | security | manual | 2026-05-02 |
| feedback_credential_pipe_required | security | manual | 2026-05-02 |
| feedback_credentials_via_1password_cli | security | manual | 2026-05-02 |
| feedback_always_redact_grep_output | security | manual | 2026-05-03 |
| feedback_credentials_repeat_exposure | security | manual | 2026-05-03 |
Open issues / TODOs
- pre-bash-check.sh is advisory-only; Phase 2 should add blocking mode for destructive commands
- Audit log at claude-code-audit.log not reviewed regularly — no alert on violation patterns
- salesmsg-gateway.service still has hardcoded ANTHROPIC_API_KEY in plaintext — P0 rotation pending (see salesmsg)
- TOOLS.md 15+ plaintext secrets exposure documented but remediation status unclear
Recent activity
- 2026-05-03: hub created (W2-S1)
- 2026-03-31: action gate introduced (two-tier read/write split)
- 2026-04: first recorded violation — service restart without confirmation